A biometric device authenticates an individual based on unique physiological or behavioral characteristics (e.g., fingerprint, iris, facial recognition). This technology is uniquely suited to control both physical and logical access. A biometric scanner can be integrated into a door lock to secure a physical area (e.g., a data center). The same biometric credential can be used to authenticate a user for logical access to a computer, network, or specific application. Because biometrics are based on "something you are," they provide a higher level of assurance and are more difficult to forge, lose, or steal compared to other methods, making them the best control among the choices.

A. Plenum: This is a space for air circulation in an HVAC system and has no function related to access control.

C. Identification card: While a smart card can be used for both, it represents "something you have" and can be lost, stolen, or duplicated, making it less secure than a biometric control.

D. Electromechanical lock: This type of lock is a purely physical access control mechanism and does not provide or control logical access to information systems.

1. The Institute of Internal Auditors (IIA)

Global Technology Audit Guide (GTAG) 1: Information Technology Controls

2nd Edition

2012.

Page 13

Section 3.3 Identity and Access Management: Lists "Biometric devices (e.g.

fingerprint

voice

retina

and facial scans)" as a primary authentication mechanism for logical access.

Page 20

Section 3.6 Physical and Environmental Controls: Lists "Biometric access controls" as a key control to "restrict physical access to facilities and devices to authorized personnel only." This demonstrates the dual application of biometrics for both logical and physical control.

2. The Institute of Internal Auditors (IIA)

Global Technology Audit Guide (GTAG) 4: Management of IT Auditing

2nd Edition

2018.

Page 20

Exhibit 6: Physical Security Controls: Mentions "Biometric devices" as a control to secure physical locations like data centers. The guide also discusses authentication for logical access

for which biometrics are a primary example of the "something you are" factor.

3. Jain

A. K.

Ross

A.

& Prabhakar

S. (2004). An introduction to biometric recognition. IEEE Transactions on Circuits and Systems for Video Technology

14(1)

4-20.

Section I

Introduction: The paper states

"A wide variety of applications require reliable personal recognition schemes to either confirm or determine the identity of an individual... These applications can be divided into... physical access control

such as... access to buildings... and logical access control

such as... access to remote applications..." The paper then details how various biometric systems fulfill these roles. (DOI: https://doi.org/10.1109/TCSVT.2003.818349)